Dld Product Billboard

Pass

Audited by ClawScan on May 10, 2026.

Overview

The skill appears to be a coherent 1688 product-ranking lookup tool, but users should notice that it uses a LinkFox API key and sends queries to LinkFox endpoints.

This skill looks benign for querying 1688 bestseller data. Before installing, be aware that it depends on a LinkFox API key and sends your product search parameters to LinkFox; avoid including sensitive business or personal information in queries or feedback.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your 1688 search terms and filters are sent to LinkFox to retrieve the ranking data.

Why it was flagged

The helper sends the user's query parameters to a LinkFox-hosted API endpoint. This is expected for the stated ranking-lookup purpose, but it is still an external network action.

Skill content

API_URL = "https://tool-gateway.linkfox.com/dld/productBillboard" ... data = json.dumps(params).encode("utf-8") ... with urlopen(req, timeout=60) as response:

Recommendation

Use this skill only for product-sourcing queries you are comfortable sending to LinkFox, and avoid including unrelated private information in search parameters.

What this means

The skill will not work unless a LinkFox API key is configured, and that key authorizes requests to the LinkFox service.

Why it was flagged

The skill reads a LinkFox API key from the environment and uses it in the Authorization header. This is purpose-aligned, but the registry metadata says no required env vars or primary credential are declared.

Skill content

key = os.environ.get("LINKFOXAGENT_API_KEY") ... "Authorization": api_key

Recommendation

Confirm you trust the LinkFox endpoint and keep the API key scoped and stored as an environment variable rather than hardcoding it.

What this means

If the feedback endpoint is used, parts of the user's request or feedback may be sent to LinkFox.

Why it was flagged

The reference documentation includes a separate feedback endpoint that could transmit user interaction details if used. The provided code does not automatically call this endpoint.

Skill content

POST `https://skill-api.linkfox.com/api/v1/public/feedback` ... "content": "Include what the user said or intended, what actually happened, and why it is a problem or praise"

Recommendation

Do not send feedback content that includes confidential business plans, credentials, or private user data unless the user explicitly agrees.